I've been reading Introduction to Modern Cryptography by Katz and Lindell as an introduction to cryptography. The book seems to use the term 'simulator' when it talks about a game like, for instance, how it defines CPA-security as an interaction between an algorithm and a simulator.

Having looked at some crypto papers, it seems like these definitions are actually called 'game-based security definitions'. If this is the case, then what exactly is meant by a simulation-based security definition?

1 Answer

I don't have my copy of Katz & Lindell in front of me, but using the term "simulator" in the context of, say, an IND-CPA definition, is not exactly in line with standard usage in current literature. (But still an ok choice of words which is excusable for a textbook.)

Typically the game is specified as a 2-player interaction. I prefer using the names "adversary" and "challenger" as the names of the players. The game explicitly specifies a goal condition that the adversary is trying to achieve (like correctly guessing a particular piece of hidden information).

In this style of definition, we define security via a statement of the form: for all adversaries, the probability of the condition happening does not exceed some fixed threshold.

Simulation-based:

This style of definition is often called the "real-ideal paradigm," and it has its roots in the work of Goldreich-Micali-Wigderson's 1987 paper on secure multiparty computation.

In this style of definition, the adversary's goal is not explicitly defined. Instead, we define an additional, "idealized" game which often doesn't involve any cryptography. As an example, for a task such as encryption, the "real game" might involve honest parties sending encrypted messages (and the adversary gets to see the ciphertexts), while in the "ideal game" the honest parties might have a secure physical channel, where the adversary is told only that a message was sent (and so sees no ciphertext).

Then we define security via a statement of the form: for all adversaries, there exists a simulator, so that the "adversary in the real game" and "simulator in the ideal game" achieve the same effect. Achieving the same effect typically means that the joint distribution of the adversary's/simulator's outputs and the honest parties' outputs is indistinguishable.

The term "simulator" is reserved for "an adversary who attacks the idealized game." It's difficult to grasp at first, but think of it this way: (1) Any attack that can be done against the real game can also be done against the ideal game. (2) But the ideal game is really simple, often defined in terms of physical security assumptions in a way that makes it obvious you'd be happy with such a world.

So the main differences are: extra quantifier for the existence of a simulator, and no explicit goal defined for the adversary. The latter condition is important in contexts like secure computation, where there is a wide variety of ways of attacking a protocol, and it's hard to enumerate game-based conditions for each kind of thing that can go wrong. Or at least, it's hard to be sure you haven't missed any subtle thing that can go wrong.
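As an added illustration (editor-constructed example, not part of the question or of the answer above), the following Python sketch plays both styles of definition against a toy one-time pad over 8-byte messages. The game-based half runs a challenger/adversary indistinguishability game with an explicit win condition (guess the hidden bit b). The simulation-based half has no win condition: it compares the adversary's view in a "real game" (a ciphertext) with what a simulator can fabricate in an "ideal game" where it is told only that a message of a given length was sent, and asks whether any distinguisher can tell the two apart. A deliberately broken scheme, `encrypt_leaky` (constructed here, which sends the first plaintext byte in the clear), shows both definitions catching the same flaw. All names, the leaky scheme and the seeded RNG are assumptions of this example; the advantages are Monte Carlo estimates for one concrete adversary, whereas the real definitions quantify over all efficient adversaries.

```python
"""Toy game-based vs simulation-based security definitions (constructed example)."""
import random

MSG_LEN = 8
TRIALS = 4000


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen(rng: random.Random) -> bytes:
    # Uniform MSG_LEN-byte key; rng is seeded so the demo is reproducible.
    return bytes(rng.getrandbits(8) for _ in range(MSG_LEN))


def encrypt_otp(key: bytes, msg: bytes) -> bytes:
    return xor(key, msg)


def encrypt_leaky(key: bytes, msg: bytes) -> bytes:
    # Constructed broken scheme: first plaintext byte travels in the clear.
    return msg[:1] + xor(key[1:], msg[1:])


# ---- Game-based: indistinguishability game with an explicit goal ----

M0, M1 = bytes(MSG_LEN), b"\xff" * MSG_LEN  # adversary's chosen message pair


def ind_adversary_guess(c: bytes, rng: random.Random) -> int:
    # Strategy: bet on whatever the first ciphertext byte suggests, else coin flip.
    if c[0] == M0[0]:
        return 0
    if c[0] == M1[0]:
        return 1
    return rng.getrandbits(1)


def ind_game_advantage(enc, rng: random.Random, trials: int = TRIALS) -> float:
    """Challenger picks key and bit b, sends Enc(k, M_b); returns Pr[guess == b] - 1/2."""
    wins = 0
    for _ in range(trials):
        key = keygen(rng)
        b = rng.getrandbits(1)
        c = enc(key, M1 if b else M0)
        wins += ind_adversary_guess(c, rng) == b
    return wins / trials - 0.5


# ---- Simulation-based: real game vs ideal game, no explicit goal ----

def real_view(enc, msg: bytes, rng: random.Random) -> bytes:
    # Real game: honest sender encrypts under a fresh key; adversary sees the ciphertext.
    return enc(keygen(rng), msg)


def ideal_leak(msg: bytes) -> int:
    # Ideal game: secure channel; the adversary is told only that a message
    # (here: of this length) was sent, never the message itself.
    return len(msg)


def simulator(leak: int, rng: random.Random) -> bytes:
    # Simulator = adversary attacking the ideal game. From the leak alone it
    # fabricates a fake ciphertext: uniform bytes of the leaked length.
    return bytes(rng.getrandbits(8) for _ in range(leak))


def distinguishing_advantage(enc, msg: bytes, distinguisher, rng: random.Random,
                             trials: int = TRIALS) -> float:
    """Pr[distinguisher tells real view from simulated view] - 1/2.

    Security in this style means no distinguisher does noticeably better than chance."""
    correct = 0
    for _ in range(trials):
        is_real = rng.getrandbits(1)
        view = real_view(enc, msg, rng) if is_real else simulator(ideal_leak(msg), rng)
        correct += distinguisher(view) == is_real
    return correct / trials - 0.5


def first_byte_distinguisher(view: bytes) -> int:
    # Claims "real" (1) when the first byte equals M1's first byte.
    return 1 if view[0] == M1[0] else 0


if __name__ == "__main__":
    rng = random.Random(7)
    for name, enc in (("otp", encrypt_otp), ("leaky", encrypt_leaky)):
        print(name, "game advantage:", ind_game_advantage(enc, rng))
        print(name, "real/ideal distinguishing advantage:",
              distinguishing_advantage(enc, M1, first_byte_distinguisher, rng))
```

For the one-time pad both views are uniform byte strings, so the simulator's fake ciphertext is distributed exactly like the real one and the distinguisher sits at chance; for the leaky scheme the game adversary wins every time, and no simulator can do better than guess the leaked byte from a length alone, which the distinguisher exposes. The point of the comparison is the one made in the answer: the game fixes one win condition in advance, while the real/ideal comparison catches whatever an adversary could learn beyond the leak, without enumerating goals.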